With Secure Email for Individual certificates, you can secure email sent from public email service providers such as Gmail, Outlook, Yahoo, Hotmail, and MSN, as well as email on your own email domains.
Use Secure Email certificates to sign and encrypt your emails. Signing authenticates your emails as coming from you, adding an extra level of assurance for recipients, while encryption protects sensitive email data.
Important
End of life for the Legacy certificate profile
On July 1, 2025, DigiCert will no longer accept Secure Email certificate requests using the Legacy certificate profile. All new certificate requests must use the Strict or Multipurpose certificate profile. This change affects new, renewed, and reissued certificate requests.
To learn more about this change:
This section outlines some things you may want to consider or tasks to complete before you order your Secure Email for Individual certificate. For example, you may need additional information about certificate profiles or want to complete specific tasks, such as generating a certificate signing request (CSR).
You must provide a certificate signing request (CSR) before DigiCert can issue your Secure Email for Individual certificate. You can include a CSR with your request. Or, after submitting your request, you can generate it in the browser.
Include a CSR with your request
To include a CSR with your request, generate the CSR before you start the renewal process. We only use the public key embedded in the CSR to create your certificate. All other fields in the CSR are ignored. Learn how to Create a CSR (Certificate Signing Request).
Note: You can only add a CSR when you place your renewal request. After submitting your order, you cannot add or update a CSR.
Generate the CSR after submitting the request
To generate the CSR after you've submitted the request, we will send instructions to the email recipient for generating the CSR and certificate in their browser. See below: Getting your Secure Email for Individual certificate.
Algorithm | Key lengths |
---|---|
RSA (Rivest-Shamir-Adleman) | 2048, 3072, and 4096 |
ECC (elliptic curve cryptography) | p-256 and p-384 |
Before filling out the certificate order form, you must select a certificate profile for your Secure Email for Individual certificate. DigiCert currently supports three profiles: Multipurpose, Strict, and Legacy.
Profile | Validity | Additional usages |
---|---|---|
Strict | 1 and 2-year certificates | Non-repudiation |
Multipurpose | 1 and 2-year certificates | Non-repudiation, data encipherment, and client authentication |
Legacy | 1, 2, and 3-year certificates | Non-repudiation, data encipherment, and client authentication |
Below are detailed instructions for ordering a Secure Email for Individual certificate.
In the left main menu, go to Request a Certificate > Secure Email Certificates > Secure Email for Individual.
On the Request Secure Email for Individual Certificate page, in the For menu, select the division to manage the certificate.
The For menu only appears if your account uses Divisions.
Profile option
In the menu, select the profile you want to use for your certificate:
Strict
Use this profile if you only need a certificate to secure your email or are unsure which profile to select. This profile supports 1 and 2-year certificate validity and Non-repudiation certificate usage.
Multipurpose
Use this profile if you need the additional certificate usage it supports. This profile supports 1 and 2-year certificate validity and Non-repudiation, Data encipherment, and Client authentication certificate usage.
Legacy
Only use this profile if you have a specific reason for using it. Otherwise, use Multipurpose, which supports the same certificate usages. This profile supports 1, 2, and 3-year certificate validity and Non-repudiation, Data encipherment, and Client authentication certificate usage.
Certificate validity
On the Request Secure Email for Individual Certificate page, under Certificate validity, do the following:
Validity period
Select a validity period for the certificate:
1 year
2 years
3 years – only available with the Legacy profile
custom expiration date
For the Legacy profile, the expiration date must be within 1184 days of the date you request the certificate.
For the Multipurpose and Strict profiles, the expiration date must be within 824 days of the date you request the certificate.
custom length
For the Legacy profile, maximum length is 1184 days.
For the Multipurpose and Strict profiles, maximum length is 824 days.
Auto-renew
To set up automatic renewal for this certificate, check Auto-renew order 30 days before expiration.
With auto-renew enabled, DigiCert automatically submits a request to renew the order thirty days before it expires. This option is not available if you pay with a credit card.
You must charge the order to the account balance to use the automatic renewal option. To configure your account's finance settings, in the left main menu, go to Finances > Settings.
Add your CSR
You can add your CSR now or generate it in your browser after DigiCert processes your order and is ready to issue the certificate.
Generate CSR in the browser
To generate the CSR and your certificate via the browser, select Generate CSR in the browser.
For this option, we send instructions to the email recipient for using the DigiCert KeyGen tool to generate the CSR and certificate in their browser.
I have my CSR
You can only add a CSR when placing your request. After submitting your order, you cannot add or update a CSR.
Use your CSR to specify the algorithm (RSA or ECC) and key size (e.g., 2048 (RSA) or p-256 (ECC)) for your certificate.
To include a CSR with your request, select I have my CSR.
Then, upload or paste your CSR in the box.
Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.
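As an added example (not DigiCert's own tooling), these OpenSSL shell functions create a key and CSR in one of the supported key types and check the CSR before upload, which matters because the CSR cannot be replaced after the order is submitted. The function names, file paths, and placeholder subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create a CSR with a supported key type and check it before upload.
# File names and the placeholder subject are constructed for illustration.

# make_csr <2048|3072|4096|p-256|p-384> <key.pem> <req.csr>
make_csr() {
  case "$1" in
    2048|3072|4096) kalg=RSA; kopt="rsa_keygen_bits:$1" ;;
    p-256|p-384)    kalg=EC;  kopt="ec_paramgen_curve:P-${1#p-}" ;;
    *) echo "unsupported key type: $1" >&2; return 1 ;;
  esac
  # umask keeps the new private key readable by its owner only.
  ( umask 077; openssl genpkey -algorithm "$kalg" -pkeyopt "$kopt" -out "$2" 2>/dev/null ) || return 1
  # Only the public key in the CSR is used, so the subject is a placeholder.
  # -newhdr writes the BEGIN/END NEW CERTIFICATE REQUEST tags.
  openssl req -new -newhdr -key "$2" -subj "/CN=placeholder" -out "$3"
}

# check_csr <req.csr>: prints "RSA <bits>" or "ECC p-<bits>"; non-zero if not acceptable
check_csr() {
  grep -qF -e '-----BEGIN NEW CERTIFICATE REQUEST-----' "$1" &&
    grep -qF -e '-----END NEW CERTIFICATE REQUEST-----' "$1" ||
    { echo "missing NEW CERTIFICATE REQUEST tags" >&2; return 1; }
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
  alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  curve=$(printf '%s\n' "$text" | sed -n 's/.*NIST CURVE: *//p' | head -n 1)
  case "$alg/$bits/$curve" in
    rsaEncryption/2048/|rsaEncryption/3072/|rsaEncryption/4096/) echo "RSA $bits" ;;
    id-ecPublicKey/256/P-256|id-ecPublicKey/384/P-384) echo "ECC p-$bits" ;;
    *) echo "unsupported key: $alg $bits" >&2; return 1 ;;
  esac
}

# Demo in a scratch directory.
dir=$(mktemp -d) && make_csr p-384 "$dir/smime.key" "$dir/smime.csr" && check_csr "$dir/smime.csr"
```

Keep the private key file on the machine that will use the certificate; only the CSR is uploaded with the order.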
Certificate email
Common name (email)
In the box, enter the recipient email address that you want to secure and that will appear as the common name on the certificate.
Additional recipient email address(es)
In the box, enter any additional email addresses you want to secure with the certificate. You can leave this box empty.
Additional certificate options
Certificate key size
When generating the certificate via your browser, you can select your certificate's algorithm and key size. DigiCert recommends using RSA 2048 unless you have specific reasons for using a different key size (e.g., company policy requires a 3072-bit key size).
In the Certificate key size menu, select the algorithm and key size for generating your CSR:
RSA 2048, 3072, or 4096
ECC p-256 or p-384
Certificate use
By default, DigiCert Secure Email certificates are dual use for signing and encryption. However, you can update the certificate usage to meet your needs.
RSA options
To view and use the RSA options, add an RSA CSR to the request form or generate the CSR via the browser and select an RSA key size.
Certificate use | Additional certificate usages |
---|---|
Dual use - email signing and encryption | Non-repudiation; Data encipherment (only available with the Multipurpose and Legacy profiles); Client authentication (only available with the Multipurpose and Legacy profiles) |
Email signing only | Non-repudiation; Client authentication (only available with the Multipurpose and Legacy profiles) |
Email encryption only | Data encipherment (only available with the Multipurpose and Legacy profiles); Client authentication (only available with the Multipurpose and Legacy profiles) |
ECC options
To view and use the ECC options, add an ECC CSR to the request form or generate the CSR via the browser and select an ECC key size.
Certificate use | Additional certificate usages |
---|---|
Dual use - email signing and encryption | Non-repudiation; Client authentication (only available with the Multipurpose and Legacy profiles); Restrict key agreement: Encipher only, Decipher only |
Email signing only | Non-repudiation; Client authentication (only available with the Multipurpose and Legacy profiles) |
Email encryption only | Client authentication (only available with the Multipurpose and Legacy profiles); Restrict key agreement: Encipher only, Decipher only |
Signature Hash
DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm by default. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (e.g., company policy requires a 3072-bit key size or an RSASSA-PSS signature).
In the Signature Hash menu, select the signature hash (SHA-256, -384, or -512) and signing algorithm (RSA or RSASSA-PSS) you want DigiCert to use for your certificate.
Signature hash + RSA | Signature hash + RSASSA-PSS |
---|---|
SHA-256 with RSA | SHA-256 with RSASSA-PSS |
SHA-384 with RSA | SHA-384 with RSASSA-PSS |
SHA-512 with RSA | SHA-512 with RSASSA-PSS |
For ECC certificates, there is a one-to-one correlation between the signature hash and the signing algorithm:
With the ECC p-256 key size, your certificate includes a SHA-256 signature hash with an ECDSA signing algorithm.
With the ECC p-384 key size, your certificate includes a SHA-384 signature hash with an ECDSA signing algorithm.
Important
The industry does not support issuing ECC certificates with an RSASSA-PSS signing algorithm. If you require an RSASSA-PSS signature, get an RSA certificate instead.
Additional order options
Expand Additional order options and add information as needed.
The information in this section is not required to issue your certificate. Adding comments and messaging are optional.
Additional Renewal Message (optional)
To create a renewal message for this certificate, type a renewal message with information that might be relevant to the certificate’s renewal.
Comments and renewal messages are not included in the certificate.
Additional emails (optional)
Enter the email addresses (comma separated) for the people you want to receive the certificate notification emails with information such as certificate issuance and certificate renewals. These recipients don't manage the order. They only receive all the certificate-related emails.
Select payment method
Under Payment information, select a payment method to pay for the certificate:
Pay with credit card
We authorize the credit card when you make the request. However, we only complete the transaction once we issue your certificate.
Pay with contract terms
When you have a contract, it is the default payment method.
Pay with account balance
Bill the cost to your account balance. To deposit funds, select the Deposit link. Selecting the link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.
Master Services Agreement
Read through the Master Services Agreement.
Select Submit Request.
By selecting Submit Request, you agree to the Master Services Agreement.
CertCentral takes you to the Secure Email for Individual certificate's Order # details page, where you can see the status of your order, what you need to do, and what DigiCert needs to do before we can issue your certificate.
DigiCert sends an email containing a link to each email address listed in the certificate request so the recipient can validate that they own that email address. If the certificate recipient loses a validation email, you can resend it. See How to resend an email validation for DigiCert "client certificate" email.
Opted to generate the CSR in the browser
After all email addresses are validated, CertCentral sends an email with a link to the first email address on the list so the recipient can generate the CSR and Secure Email for Individual certificate via the browser. Learn how to Generate your client certificate using DigiCert's KeyGen tool.
Included a CSR with your certificate order
After all email addresses are validated, CertCentral sends the "client certificate issued" email with the certificate attached. You can also download a copy from CertCentral.